The LuxSci FYI Blog

by Erik Kangas, PhD, CEO

What Is HIPAA-Compliant Videoconferencing?

Published: October 10th, 2016

HIPAA-compliant videoconferencing is a form of telecommunication used in health settings, allowing multiple parties (e.g. doctor and patient) to communicate via two-way video and audio transmissions. It provides patients with the same privacy and confidentiality that applies to in-person visits, protecting their information and giving the same care to storage and dissemination of the video as to paper documents under the Health Insurance Portability and Accountability Act (HIPAA).

There are many advantages to videoconferencing with patients, rather than meeting them in person. Some patients have limited mobility, making it difficult for them to physically visit a healthcare provider. Some patient follow-ups only require a quick conversation and don’t require a physical examination. For many patients, it may also be much more convenient to have a video conversation than to travel to a doctor’s office. An additional benefit is the cost savings; videoconferencing can be much cheaper than in-person visits.

For these reasons, virtual visits to healthcare providers are becoming more popular. Dr. Ateev Mehrotra, a Harvard Medical School researcher, estimates there will be at least a million virtual doctor visits this year alone. That doesn’t include dentists, therapists, and other healthcare professionals who may also use videoconferencing technology.

Protected Health Information and HIPAA

It’s important to understand protected health information (PHI) and how it’s defined and governed by the Health Insurance Portability and Accountability Act of 1996.

In a nutshell, PHI is demographic information, medical history, test and laboratory results, insurance information, and other data a healthcare professional collects about a patient to determine appropriate care for him or her. This includes everything from a patient’s birthdate to their blood type. Importantly, this information is also “identifiable”; i.e., one can tell who this information describes.

When a doctor and a patient discuss a medical issue on a video call, they’re electronically exchanging PHI. As such, videoconferencing must be HIPAA-compliant.

HIPAA is a large and complex piece of legislation, and any organization that needs to be HIPAA-compliant should go through the Act thoroughly. This overview of its four rules is only a starting point for ensuring compliance.

HIPAA’s four rules govern how PHI is stored, transmitted, accessed, and more. Like every other aspect of healthcare, videoconferencing needs to abide by these rules.

Privacy Rule

Establishes standards to protect medical records and other PHI

Requires appropriate safeguards to protect the privacy of PHI

Sets limits and conditions on when and how PHI can be used and disclosed without patient authorization

Gives patients rights over their health information, including the right to receive a copy of their health records

Be offered by a provider who will sign a business associate agreement (BAA). When a technology provider offers a service to a healthcare organization, it becomes a business associate as defined by HIPAA. HIPAA requires contracts between healthcare providers and business associates so that all PHI and ePHI is safeguarded appropriately. Don’t do business with a video service provider who will not sign a BAA — it’s critical to ensuring everyone understands their obligations under HIPAA.

When a video service meets these criteria, it’s considered an option for videoconferencing for healthcare organizations. But once healthcare providers choose and implement a particular service, they need to do the following:

Consider how the organization will define its legal health record. If the legal health record includes the video recording, consider how your organization will respond to patient requests for copies of the information.

Educate patients on videoconferencing. Make sure patients understand the precautions taken to protect their health information. Advise them to be in a private place during the videoconference where no one else can see or hear the conversation. Recommend they use a secure, password-protected Wi-Fi network rather than a public connection at a coffee shop or public library.

Whether you are a dentist, a physician, a therapist, or any other kind of healthcare professional, videoconferencing offers many benefits. It also raises many privacy and security issues that must be addressed before using any video service. If you’re considering offering videoconferencing at your medical practice, take the time to carefully consider your obligations under HIPAA. Work with a video service provider who understands the HIPAA rules. Offer your patients the secure, protected videoconferencing experience they deserve.